As a starting point, it would be good if you explain what the use case is - what it does that's different to exec.Command, and how it does it? (My first thought was: could it be cgroups or namespaces?)
There's no documentation, and the code is less than self-explanatory. Via some reverse-engineering I found: * It sets some magic environment variables like LL_FS_RO, LL_FS_RW * It reads in a binary blob "bin/sandboxer" (stored within the repo) and executes it in memory via a third-party library (github.com/liamg/memit) - presumably to avoid needing to set the execute bit on the binary, or to bypass any "noexec" protections on the filesystem. * Googling for those environment variables finds https://docs.kernel.org/admin-guide/LSM/landlock.html which shows use of a similar "sandboxer" binary I repeat: the binary blob that it executes is stored inside the git repo. Do I run arbitrary binary blobs downloaded from the Internet? Err, no thank you. If this isn't a trojan horse, it certainly looks like it could be, and there's no way to tell if it is or it isn't. So if you're going to do it this way, a key requirement for you is to establish a chain of trust to this binary. Either include the source code for "sandboxer", and the scripts required to build it from source; or sign the binary with some way to verify the signature back to a trusted source (which might be you, if you can persuade people that you are a trustworthy source). Or: don't include the binary at all, and give instructions for the user on how to build it themselves or download a binary from a trusted source (e.g. signed OS packages from well-known third-party sources). Maybe it's built from this? https://github.com/landlock-lsm/rust-landlock/blob/main/examples/sandboxer.rs If so, I wonder if it would be possible to implement what sandboxer.rs does directly in Go. Googling: "golang landlock" => https://github.com/landlock-lsm/go-landlock "golang linux security modules" => https://github.com/rogercoll/go-lsm If it's for use in exec.Command then it may still require building a wrapper binary, but at least it could avoid the Rust toolchain. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/260264d8-e95a-4343-bb08-fb6a8c2919f0n%40googlegroups.com.
